From: William Roberts
Subject: [PATCH v3.4] - audit cmdline on events
Date: Mon, 18 Nov 2013 16:41:18 -0800
Message-ID: <1384821680-28829-1-git-send-email-wroberts@tresys.com>
To: linux-audit@redhat.com
Cc: rgb@redhat.com
List-Id: linux-audit@redhat.com

Draft versions of some work I have been doing auditing the cmdline value on events. The reason for this is that I need to get the package name in Android in the audit records. Often, the app dies before userspace would be able to get it from procfs.

I'll (attempt to) summarize the feedback so far.

* RGB - Can we make this dynamic?
** This was nak'd by Steve Grubb and subsequently dropped from these patches.

* Stephen Smalley - Can we cache this in audit struct for performance concerns?
** I think I address this in patch 2.

* Steve Grubb - Is cmdline generic enough? Should we extend prctl for an extended comm field?
** The heart of the matter is some spot the process can stick more than 16 chars of data. I think this meets that, without having to modify prctl.

* Steve Grubb - Can you use a user audit record?
** I can, but the downside is that it doesn't keep the same id with the related issues; you have to combine them by hand, by pid. Doesn't seem like a generic solution.

Right now, the cache never gets invalidated, as there is no kernel interface on which to invalidate the cache. This would be one win for adding to prctl.

Once we have a clear way forward on this, I can make the effort to port to master.

[PATCH 1/2] audit: Allow auditing of proc/self/cmdline value
[PATCH 2/2] audit: Enable cacheing of cmdline in audit_context